Define Gateway Endpoints for a BOVPN Virtual Interface

Gateway endpoints are the local and remote gateways that are connected by a BOVPN. The gateway endpoints configuration enables your Firebox to specify how to identify and communicate with the remote endpoint device when it negotiates the BOVPN. It also enables the device to specify how to identify itself to the remote endpoint when it negotiates the BOVPN. You must configure at least one gateway endpoint pair when you add a BOVPN virtual interface.

You can configure multiple gateway endpoints for VPN failover. For more information, go toe Configure Branch Office VPN (BOVPN) Failover.

You can specify different pre-shared keys for each gateway endpoint of a virtual interface. For an example of a configuration with different pre-shared keys, go to BOVPN Virtual Interface for Static Routing to Amazon Web Services (AWS).

In Fireware v12.2 or higher, you can specify a secondary interface IP address as a gateway endpoint. By default, the primary IP address configured on the external interface you specify is used.

In Fireware v12.1.x or lower, do not use a secondary interface IP address as a gateway endpoint. If you configure a gateway endpoint with a secondary interface IP address, the BOVPN connection might fail if the local Firebox initiates the BOVPN connection. This is because the Firebox initiates the connection with the primary interface IP address. If the remote endpoint initiates the BOVPN connection and specifies the secondary interface IP address, the connection succeeds.

Local Gateway

In the Local Gateway settings, you configure the gateway ID and the interface the BOVPN connects to on your Firebox. You can configure a BOVPN virtual interface to use any internal or external interface as the local gateway.

For the gateway ID, if you have a static IP address you can select By IP Address. If you have a domain that resolves to the IP address the BOVPN connects to on your Firebox, select By Domain Information.

Remote Gateway

You can configure the gateway IP address and gateway ID for the remote endpoint device that the BOVPN connects to. The gateway IP address can be either a static IP address or a dynamic IP address. The gateway ID can be By Domain Name, By User ID on Domain, or By x500 Name. The administrator of the remote gateway device selects which gateway ID type to use.

If the remote VPN endpoint gets an external IP address from DHCP or PPPoE, set the ID type of the remote gateway to Domain Name. Set the peer name to the fully qualified domain name of the remote VPN endpoint. The Firebox uses the IP address and domain name to find the VPN endpoint. Make sure the DNS server the device uses can identify the name.

Advanced Settings

You can configure these options on the Advanced Settings tab:

CA Certificate

(Fireware v12.6.2 or higher) This option appears if you select a certificate for authentication. When you enable this option, you must select a root or intermediate CA certificate from the CA Certificate drop-down list. The Firebox uses that CA certificate to verify the certificate received from VPN peer. The certificate from the VPN peer must be part of the certificate chain that includes the specified root or intermediate CA certificate. If the peer certificate is not part of the chain, the Firebox rejects Phase 1 tunnel negotiations.

Screenshot of the CA Certificate setting in Fireware Web UI

Different pre-shared key

You can specify different pre-shared keys for each gateway endpoint. You might select this option if you configure a VPN between a Firebox and third-party endpoint, and the third-party endpoint requires each gateway endpoint to have a different pre-shared key.

(Fireware v12.5.4 or higher) Select String-Based or Hex-Based. The default setting is String-Based. For information about hex-based keys, go to Hex-Based Pre-Shared Keys.

DF Bit

The Don't Fragment (DF) bit is a flag in the header of a packet. You can select Copy, Set, or Clear to control whether the Firebox uses the original DF bit setting in the packet header:

Screenshot of the DF bit setting in Fireware Web UI
The DF bit setting in Fireware Web UI

Screenshot of the DF bit setting in Policy Manager
The DF bit setting in Policy Manager

  • Copy — This option applies the DF bit setting of the original frame to the IPSec encrypted packet.
    If a frame does not have the DF bits set, the Firebox does not set the DF bits and fragments the packet if needed. If a frame is set to not be fragmented, the Firebox encapsulates the entire frame and sets the DF bits of the encrypted packet to match the original frame.
  • Set — This option instructs the Firebox to not fragment the frame regardless of the original bit setting.
    If a user must make IPSec connections to a Firebox from behind a different Firebox, you must clear this check box to enable the IPSec pass-through feature. For example, if mobile employees are at a customer location that has a Firebox, they can make IPSec connections to their network with IPSec. For your local Firebox to correctly allow the outgoing IPSec connection, you must also add an IPSec policy.
  • Clear — This option breaks the frame into pieces that can fit in an IPSec packet with the ESP or AH header, regardless of the original bit setting.

In Fireware v12.2 or lower, you can only configure the DF Bit setting in the external interface settings.

In Fireware v12.2.1 or higher, you can configure the DF Bit setting in the BOVPN gateway endpoint settings. This setting takes effect immediately. The DF Bit setting specified for the gateway endpoint overrides the DF Bit setting specified for the external interface.

If you do not specify a DF Bit setting for the gateway endpoint, the gateway endpoint uses the DF Bit setting specified in the external interface settings. For more information about the DF Bit setting in the external interface settings, go to Define Gateway Endpoints for a BOVPN Gateway.

PMTU

The Path Maximum Transmission Unit (PMTU) setting controls the length of time that the Firebox lowers the MTU for an IPSec VPN tunnel when it gets an ICMP Request to Fragment packet from a router with a lower MTU setting on the Internet.

In Fireware v12.2.1 or higher, you can configure PMTU settings in the BOVPN gateway endpoint settings. The PMTU settings specified for the gateway endpoint override the PMTU settings specified for the external interface. If you do not specify PMTU settings for a gateway endpoint, the gateway endpoint uses the PMTU settings specified in the external interface settings.

We recommend that you keep the default setting. This can protect you from a router on the Internet with a very low MTU setting.

Screenshot of the PMTU bit setting in Fireware Web UI
The PMTU bit setting in Fireware Web UI

Screenshot of the PMTU bit setting in Policy Manager
The PMTU bit setting in Policy Manager

Related Topics

Configure Manual BOVPN Gateways

Configure Manual BOVPN Tunnels